Back to Course
Introduction to AWS Security
0% Complete
0/0 Steps
-
Introduction
About the course and authors -
AWS cloud architecture
-
Security concerns with our architecture
-
Regions and Availability Zones (AZs)
-
Shared responsibility in the cloud
-
[Cheat Sheet] AWS Security Services
-
Create a billing alert to avoid surprise bills
-
Infrastructure SecurityVPC networks
-
Default VPCs
-
[DEMO] Creating VPCs and Subnets
-
How many VPCs should you use?
-
[DEMO] Subnet, Route Table, and Gateway Configurations
-
[LAB] [Challenge] Create a VPC with public and private subnets
-
[LAB] Launching an EC2 instance
-
[DEMO] Security Groups (SGs)
-
Security Groups Best Practices
-
[DEMO] Network Access Control Lists (NACLs)
-
[Cheat Sheet] SGs vs. NACLs
-
[LAB] [Challenge] Configure security groups and NACLs to specific requirements
-
Elastic Load Balancers
-
[DEMO] AWS WAF
-
[LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
-
[DEMO] AWS Network Firewall - Part 1
-
[DEMO] AWS Network Firewall - Part 2
-
AWS Shield for DDoS Protection
-
[LAB] Reduce AWS attack surface with port scanning and Security Groups
-
AWS Firewall Manager
-
Identity and Access Management (IAM)Key Concepts of IAM in AWS
-
[DEMO] Getting started with IAM in AWS
-
[DEMO] Creating our first admin user
-
Assigning permissions with policies
-
[Cheat Sheet] Anatomy of an AWS IAM Policy
-
[DEMO] Using Identity Center AWS SSO
-
IAM Roles
-
[DEMO] Creating a role for EC2 instances to access S3 buckets
-
End-User Management with Amazon Cognito
-
IAM Access Analyzer
-
[DEMO] IAM Access Analyzer Unused Access
-
[LAB] Check policies for new access before deployment with IAM Access Analyzer
-
[LAB] Check IAM policies against a deny list with IAM Access Analyzer
-
[LAB] IAM Credentials Report
-
Data ProtectionData protection in the cloud
-
EBS Data Protection and Encryption
-
[LAB] Encrypt Existing Unencrypted EBS Volumes and Snapshots
-
Amazon RDS Data Protection and Encryption
-
Key Management with AWS KMS
-
[Cheat Sheet] Getting Started with AWS KMS
-
[DEMO] Creating a Symmetric Encryption KMS Key
-
[Cheat Sheet] Encrypt and Decrypt Data with KMS and Data Keys
-
[LAB] Encrypt and Decrypt Data with KMS and Data Keys
-
Amazon S3 Bucket ProtectionUnderstanding Bucket Ownership
-
[LAB] Creating Buckets and Uploading Objects in S3
-
Managing Access to Buckets
-
[Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
-
[LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
-
Using Signed URLs
-
[LAB] S3 Presigned URLs
-
Encrypting S3 Data
-
[DEMO] Enable S3 Object Versioning
-
[Cheat Sheet] Amazon S3 Protection Summary
-
[Cheat Sheet] Create a least privilege S3 bucket policy
-
AWS Log Types and Auditing Options
-
Logging, Monitoring, and Incident Response[DEMO] Enable S3 Server Access Logs
-
AWS CloudTrail
-
Amazon CloudWatch
-
[DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
-
[LAB] Amazon VPC Flow Logs
-
Proper Logging and Monitoring
-
Amazon GuardDuty
-
[LAB] [DEMO] Enable Threat Detection with GuardDuty
-
[DEMO] Amazon EventBridge
-
AWS Config
-
AWS Systems Manager
-
[LAB] Secure EC2 Access with SSM Session Manager and KMS
-
[DEMO] AWS Config Automated Remediation with SSM
-
[LAB] Automated S3 Remediation to Enforce Block Public Access
-
[LAB] Remediate Open SSH Security Groups with AWS Config and SSM
-
Amazon Detective
-
[DEMO] Amazon Inspector
-
[LAB] Find vulnerable Lambda Functions with Amazon Inspector
-
About Amazon Macie
-
[DEMO] Deploying Amazon Macie
-
[DEMO] AWS Security Hub CSPM
-
[DEMO] Must-have AWS monitoring and alerting with SSK
-
[DEMO] AWS Organizations
-
Multi-Account Security[DEMO] Centrally managing root access
-
[DEMO] AWS SCPs and Management Policies
-
[DEMO] Resource Control Policies (RCPs)
-
AWS Control Tower
-
[DEMO] Using RAM to share resources across accounts
-
About IaC
-
Infrastructure as Code (IaC)[DEMO] Deploying resources with CloudFormation
-
[DEMO] Deploying a Lambda function with CloudFormation
-
[DEMO] Multi-account and multi-region deployments
-
[DEMO] Detecting drift
-
[LAB] CloudFormation Guard
-
[DEMO] Using AWS Service Catalog - Part 1
-
[DEMO] Using AWS Service Catalog - Part 2
-
[DEMO] Getting started with the Cloud Development Kit (CDK)
-
[DEMO] Deploying a project with the CDK
-
Wrap-up and Key TakeawaysWhat next?
Lesson 54 of 101
In Progress
[Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
Christophe June 26, 2023
| S3 Bucket Policies | S3 ACLs | IAM Policies | |
|---|---|---|---|
| Scope | Applied to an S3 bucket to control bucket access, but can also control specific object permissions | Applied to buckets or to an individual object. Older access control method that’s no longer recommended to use if it can be avoided | Applied to IAM users, groups, and roles across the AWS account |
| Syntax | JSON-based policies | XML-based policies written in a specific format | JSON-based policies |
| Flexibility | Provide granular control with powerful conditions and fine-grained permissions | Provide basic access control but have fewer options for advanced permissions | Provide centralized access management for various AWS services, not just S3 |
| Permissions | Can define access controls for both bucket-level and object-level operations | Can define access controls for individual objects and bucket-level operations, such as READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL | Can define access controls for various AWS services, including S3, at a fine-grained level |
| Principal-Based | Identify the principal (role, user, group, or AWS account) and define their access permissions | Identify the user or group and define their access permissions | Define permissions for IAM users, groups, and roles by attaching policies to them |
| IAM Integration | Can reference IAM users, groups, and roles in policies to grant additional permissions or restrict access | Can use canonical user IDs to grant permissions to an AWS account (or even email addresses but they get converted to canonical user IDs), or can use a URI to grant permissions to a predefined group | Create and manage IAM policies separately from S3 bucket policies. IAM policies can be attached to IAM entities for S3 access control |
| Examples | Grant read access to all objects in a bucket to a specific IAM role | Grant write access to a specific object to an external AWS account user | Grant full access to an S3 bucket to an IAM group, while restricting delete permissions for specific IAM users |
Or download it:

Responses